Yesterday, </dream.in.code> was subject to a series of attacks that caused all links on the site to reroute to other, potentially dangerous websites, and we also lost a day's worth of data (posts, PMs, snippets, etc.). Our webmaster, skyhawk133, told us that a file with overly permissive permissions had been exploited by an injection script. The server team has since repaired the vulnerability and is fixing any others it comes across. Let us know if you experience any problems doing things like uploading files or posting certain text.

Everyone should run a virus scan: several users have reported finding rogue Java programs that their scanners classified as Trojans. While these may not be associated with the attacks, it is certainly a good idea to keep your computer safe. Sorry for any harm that may have been done.

2 Comments On This Entry

This is actually related to something I did a talk about before as part of my MSc. The attack is known as a Java drive-by, and it's basically an applet which, when accepted, will place a remote administration tool into your startup. With this tool, the hacker will be able to access anything on your computer, and have complete control over your computer (view the webcam, turn on your microphone). The way they got it on this site was most likely through a shell uploaded via an SQL injection.

Unfortunately, if this Java drive-by has been crypted by a Fully Undetectable crypter, then antivirus programs will not pick it up (until the threat becomes known to the antivirus companies, which can take weeks, but by that time the hacker can keep updating the virus you're infected with). Still run virus scans, and the best thing to use is Malwarebytes, because this is the hardest program for a crypter to bypass.

The main thing you want to do, however, is check a couple of things manually. Firstly, check your processes, as the virus will be running one. Locate it and stop it.
Next, go into msconfig and check your startup items. The crypter will add a startup entry to execute the virus on every reboot. Locate it and remove it.
Also, the actual virus itself can be placed in a few locations, but the most common place is App Data/Local/Roaming (I think that's the correct order). See if it is there and, if it is, delete it.

A note on the processes: most viruses will name the process scvhost or some other common name, so don't discount the processes which you would normally presume to be normal. If you have multiple processes of the same name, make sure one of them isn't using a lot of resources. If it is, it is most likely the virus. Right-click on it, open the file location, and you should be able to tell whether it is the virus or not (by where the file is placed).

Trust me, if the virus is crypted, it will not be picked up by AVs (unless it's a known threat) and you need to do the above steps. I spent 2 years studying this topic, including spending a lot of time in hacking forums. I also had to test all these tools locally to show as part of my dissertation. If you decompile the applet that was placed on this server, I guarantee you will find some code which executes an exe (the virus).

Anyone having problems, hit me up and I will advise you. There are some specialised tools which can be used to remove it automatically.
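The manual checks the comment above describes (running processes and their file locations, msconfig startup entries, and executables dropped under AppData) can be gathered in one pass. The following triage script is an added example, not code from the original post or the commenter; it assumes a Windows host with PowerShell 5 or later, an elevated prompt so process paths are readable, and the look-alike process names and drop directories listed in its comments are assumptions chosen to mirror the comment's advice.

```powershell
# Added triage script, not from the original post or the commenter. Assumes a Windows host with
# PowerShell 5 or later; run it from an elevated prompt so process paths are readable.
# It only reports; removing anything it lists is still the manual decision the comment describes.

function Get-SuspectProcess {
    # Processes whose image lives in a user-writable directory (AppData, Temp, ProgramData, Public),
    # plus system look-alike names (svchost and misspellings such as scvhost, csrss, lsass, winlogon)
    # that are not loaded from System32. Both lists are assumptions for this example.
    $system32 = "$env:windir\System32"
    $userDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC)
    foreach ($p in Get-Process | Where-Object Path) {
        $fromUserDir = @($userDirs | Where-Object { $_ -and $p.Path -like "$_\*" }).Count -gt 0
        $lookalike = ($p.ProcessName -match '^([scv]{2,3}host|csrss|lsass|winlogon)$') -and ($p.Path -notlike "$system32\*")
        if ($fromUserDir -or $lookalike) {
            [pscustomobject]@{ Name = $p.ProcessName; PID = $p.Id; CPU = $p.CPU; Path = $p.Path }
        }
    }
}

function Get-StartupEntry {
    # Run/RunOnce keys for the current user and the machine, plus both Startup folders:
    # the same list msconfig shows, with the command line so its path can be judged.
    $keys = foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($k in 'Run', 'RunOnce') { "$($hive):\Software\Microsoft\Windows\CurrentVersion\$k" }
    }
    foreach ($key in ($keys | Where-Object { Test-Path $_ })) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value } }
    }
    foreach ($dir in 'Startup', 'CommonStartup') {
        Get-ChildItem -Path ([Environment]::GetFolderPath($dir)) -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName } }
    }
}

function Get-RecentAppDataExecutable([int]$Days = 7) {
    # Executables and jars written under Roaming/Local AppData or Temp in the last $Days days.
    $roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ -and (Test-Path $_) }
    Get-ChildItem -Path $roots -Recurse -Depth 2 -File -Include *.exe, *.jar -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, LastWriteTime, Length
}

Get-SuspectProcess | Sort-Object CPU -Descending | Format-Table -AutoSize
Get-StartupEntry | Format-Table -AutoSize
Get-RecentAppDataExecutable | Format-Table -AutoSize
```

Everything under AppData is listed for inspection rather than judged, so legitimate per-user installs will appear alongside anything suspicious; the file location, as the comment says, is what to weigh.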